Analysis
max time kernel: 62s
max time network: 67s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-05-2022 07:16
Behavioral task: behavioral1
Sample: No.Starch.Practical.Packet.Analysis.3rd.Edition.2017.pdf
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: No.Starch.Practical.Packet.Analysis.3rd.Edition.2017.pdf
Resource: win10v2004-20220414-en
General
Target: No.Starch.Practical.Packet.Analysis.3rd.Edition.2017.pdf
Size: 24.1MB
MD5: 9573dfb54ca71b9f460f5d37b1b4e8c6
SHA1: 471c962645ee79054bd727a95c8a7c40c3132ae4
SHA256: 9708b2203c9eef8ff9398392810beba96db4354eb0d5c1a55d9838124ec9ea14
SHA512: 335cb8a90a27f8ca1dc7592431a1dcad5e703a501885e8bd470cf9d26229972bd837f17f0ce7e302b0579153e54689aa2bb9f256cb74bce32594922fa89c4010
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | process: AcroRd32.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: AcroRd32.exe
- Modifies Internet Explorer settings
  Processes:
    description: Key created | ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | process: AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1832 | process: AcroRd32.exe
    pid: 1832 | process: AcroRd32.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid: 1832 | process: AcroRd32.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid: 1832 | process: AcroRd32.exe
    pid: 1832 | process: AcroRd32.exe
    pid: 1832 | process: AcroRd32.exe
    pid: 1832 | process: AcroRd32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 1832 wrote to memory of 1944 | pid: 1832 | process: AcroRd32.exe | target process: RdrCEF.exe (3 entries)
    description: PID 1832 wrote to memory of 4828 | pid: 1832 | process: AcroRd32.exe | target process: RdrCEF.exe (3 entries)
    description: PID 1832 wrote to memory of 3716 | pid: 1832 | process: AcroRd32.exe | target process: RdrCEF.exe (3 entries)
    description: PID 1832 wrote to memory of 2404 | pid: 1832 | process: AcroRd32.exe | target process: RdrCEF.exe (3 entries)
Processes
Level 1: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\No.Starch.Practical.Packet.Analysis.3rd.Edition.2017.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2 (child of AcroRd32.exe): C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  Level 2 (child of AcroRd32.exe): C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  Level 2 (child of AcroRd32.exe): C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  Level 2 (child of AcroRd32.exe): C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043